Stealing payment card data and PINs from POS systems is dead easy

Lack of authentication and encryption allow attackers to easily steal payment card data and PIN numbers from point-of-sale systems.

Many of the large payment card breaches that hit retail and hospitality businesses in recent years were the result of attackers infecting point-of-sale systems with memory-scraping malware. But there are easier ways to steal this sort of data, due to a lack of authentication and encryption between card readers and the POS payment applications.

POS systems are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers with PIN pads. They also have specialized payment applications installed to handle transactions.

One of the common methods used by attackers to steal payment card data from PoS systems is to infect them with malware, via stolen remote support credentials or other techniques. These malware programs are known as memory or RAM scrapers because they scan the system's memory for credit card data when it's processed by the payment application on the POS system.

But on Tuesday at the BSides conference in Las Vegas, security researchers Nir Valtman and Patrick Watson, from U.S.-based POS and ATM manufacturer NCR, demonstrated a stealthier and more effective attack technique that works against most "payment points of interaction," including card readers with PIN pads and even gas pump payment terminals.

The main issue shared by all of these devices is that they don't use authentication and encryption when sending data back to the POS payment software. This exposes them to man-in-the-middle attacks through external devices that tap the network or serial connection or through "shim software" running the POS system itself.

For their demo, the researchers used a Raspberry Pi device with traffic capture software that taps the data cable between a PIN pad, and a laptop with a payment app simulator. The PIN pad had a custom top cover to hide its make and model; the researchers didn't want to single out a particular vendor since many of them are affected.

While the demo used an external device that could be installed by an insider or a person posing as a technician, attackers can also simply modify a DLL (dynamic-link library) file of the payment app to do the data interception inside the OS itself, if they get remote access to it. A modified DLL that's loaded by the legitimate payment software would be much harder to detect than memory-scraping malware.

point-of-sale POS PIN pad card reader payment Lucian Constantin

Researchers Patrick Watson and Nir Valtman cause a payment terminal to display a fake re-enter PIN prompt.

The NCR researchers showed that not only can attackers use this attack technique to steal the data encoded on a card's magnetic stripe, which can be used to clone it, but they can also trick cardholders to expose their PIN numbers and even the security codes printed on the back of the cards.

Normally PIN pads do encrypt the PIN numbers when transmitting them to the PoS software. This is an industry requirement and manufacturers comply with it.

However, man-in-the-middle attackers can also inject rogue prompts on the PIN pad screen by uploading so-called custom forms. These screen prompts can say whatever the attackers want, for example "Re-enter PIN" or "Enter card security code."

Security professionals might know that they're never supposed to re-enter their PINs or that card security codes, also known as CVV2s, are only needed for online, card-not-present transactions, but regular consumers typically don't know these things, the researchers said.

In fact, they demonstrated this attack method to professionals from the payments industry in the past and 90 percent of them were not suspicious of the PIN re-entry screen, they said.

Some PIN pads have whitelists that restrict which words can appear on custom screens, but many of these whitelists allow the words "please re-enter" and even if they don't, there's a way to bypass the filter as PIN pad custom forms allow images. Attackers could instead simply inject an image with those words, using the same text colour and font that normally appears on the screen.

It's also worth noting that this attack works against card readers and PIN pads that conform to the EMV standard, meaning they support chip-enabled cards. The EMV technology does not prevent attackers from using stolen track data from a chip-enabled card to create a clone and use it in a country that doesn't support EMV yet or on terminals that are not EMV-enabled and only allow card swiping.

Also, EMV has no bearing on e-commerce transactions, so if the attackers gain the card's track data and the card's CVV2 code, they have all the information needed to perform fraudulent transactions online.

For manufacturers, the researchers recommend implementing point-to-point encryption (P2PE), which encrypts the entire connection from the PIN pad all the way back to the payment processor. If P2PE cannot be implemented on existing hardware, vendors should at least consider securing the communication between their PIN pads and the POS software with TLS (Transport Layer Security) and to digitally sign all requests sent back to the PIN pad by the payment application.

Meanwhile, consumers should never, ever, re-enter their PINs on a PIN pad if prompted to do so. They should also read the messages displayed on the screen and be suspicious of those that ask for additional information. Mobile payments with digital wallet services like Apple Pay should be used where possible, because at this point they're safer than using traditional payment terminals.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleRaspberry PiTransport

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place